This is a refresh of a patch I've sent quite some time ago (in April). That old patch introduced a flink() syscall without proper security measures. I've now integrated a proposal for how to fix it.

int flink (int fd, const char *newname)

The file associated with fd is linked with the newname. But this will only succeed if the file descriptor fd was created with the O_CANLINK flag set. It is not possible to set O_CANLINK afterwards; fcntl(F_SETFL) cannot set the bit. This is important.

The changes to implement this are pretty trivial. The patch consists of more than a few lines only because the link code is reusing as much as possible in the link() and flink() code and the O_* flags definitions were reformatted.

The purpose of this change is twofold.

For now it is possible to use this functionality in a couple of ways:

~ we can create quasi-anonymous files. Like

    fd = open ("RANDOM", O_EXCL|O_CREAT|O_CANLINK|O_RDWR, 0600);
    unlink ("RANDOM");
    ... do some work ...
    if (work is successful)
      flink (fd, "REALNAME");
    close (fd);

~ file descriptors which are passed to a process (by inheritance from the parent, through Unix sockets, ...) can be linked to the filesystem.

Longer-term I think the kernel should support real anonymous files which can optionally be created with the O_CANLINK flag. This would "only" save the unlink() call in the example above but not having the file at all in the filesystem namespace eliminates one more possible attack vector.
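
An added example, not part of the original message or the patch: flink() and O_CANLINK are the proposal's names and are not assumed to exist here, so this sketch uses the mainline Linux calls open(O_TMPFILE) and linkat() through /proc/self/fd to show the same "write anonymously, name only on success" pattern. The function name publish_anonymous() and the file names are hypothetical; it assumes Linux with /proc mounted and a filesystem that supports O_TMPFILE.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create an unnamed file in dir, write buf to it, then link it as final_path.
 * linkable == 0 adds O_EXCL, which tells the kernel to refuse any later link
 * of this file: a fixed-at-open decision, like the proposal's O_CANLINK bit
 * but opt-out instead of opt-in. Returns 0 on success or -errno. */
int publish_anonymous(const char *dir, const char *final_path,
                      const char *buf, int linkable)
{
    int flags = O_TMPFILE | O_RDWR | O_CLOEXEC | (linkable ? 0 : O_EXCL);
    int fd = open(dir, flags, 0600);
    if (fd < 0)
        return -errno;

    int err = 0;
    size_t len = strlen(buf);
    ssize_t n = write(fd, buf, len);
    if (n < 0)
        err = -errno;
    else if ((size_t)n != len)
        err = -EIO;                      /* short write: do not publish */
    else if (fsync(fd) < 0)
        err = -errno;

    if (!err) {                          /* "work is successful": name it */
        char procpath[64];
        snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
        if (linkat(AT_FDCWD, procpath, AT_FDCWD, final_path,
                   AT_SYMLINK_FOLLOW) < 0)
            err = -errno;
    }
    close(fd);                           /* on error the data simply vanishes */
    return err;
}

int main(void)
{
    char dir[] = "/tmp/flinkdemoXXXXXX"; /* constructed scratch directory */
    char path[128];
    if (!mkdtemp(dir))
        return 1;
    snprintf(path, sizeof path, "%s/REALNAME", dir);
    printf("linkable:   %d\n", publish_anonymous(dir, path, "data\n", 1));
    snprintf(path, sizeof path, "%s/DENIED", dir);
    printf("O_EXCL set: %d\n", publish_anonymous(dir, path, "data\n", 0));
    return 0;
}
```

The file never has a name until linkat() succeeds, so there is no window in which another process can open a temporary path.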